Article

Who needs security assessments?

Ben Downton, Principal Security Consultant
November, 2015
4 mins read

A security assessment (or penetration test) of an organization or system is often commissioned by the IT or Security function, but the report and consequential recommendations will influence many others. The results must be put into context for each particular audience if they are to be useful to the organization as a whole. We explain how to best present and explain these results.

Management Board

Starting at the top, the management board reviews the risk exposure and determines what constitutes an acceptable level of risk to ensure a sustainable and resilient organization. This sets the context for any issues identified during the assessment, and without this input none of the other functions can...well, function.

 

The management board will require evidence of any high-level organizational issues that mean their view of risk exposure (or even risk appetite) could be misaligned. 

 

Results needed: Evidence of organizational or environmental changes that require an adjustment to policy or risk appetite 

 

Executive Committee

The executive committee looks at strategic risk that could threaten long-term objectives. The cxecutive committee therefore needs information that will help define the risk strategy.

 

A lot of this information, such as threat intelligence and business objectives, is gathered prior to defining the security strategy. Gaps in the approach, or even changes in the threat landscape, will manifest as vulnerabilities identified during the assessment. Following an assessment therefore, the committee will need information about the effectiveness of that strategy and recommendations to cover previously unknown areas of risk. 

 

Results needed: Updates to the strategy required to address 'blind spots'

 

Management

Management perform analysis and tactical management of risk at an enterprise level, setting compliance objectives and standards that must be met. The assessment must therefore identify where failures in process have led to the presence of vulnerabilities.

 

If management are provided the correct information, issues can be addressed holistically at the source in a far more efficient manner. An example could be a weakness arising due to a lack of secure coding skills in the development team, requiring training to ensure that future vulnerabilities are not introduced. 

 

 Results needed: Mapping of individual issues to process failures or capability gaps

 

Employees

Employees are responsible for risk identification and treatment of risk. This could be indirect (through simply following the policies laid out by the management team) or direct involvement in resolving issues.

 

In most cases the recommendations from the assessment will be directly consumed by the employees responsible for implementing them - the IT team making system changes or business analysts making process changes. Employees may also require evidence of the assessment as part of an awareness exercise - demonstrating the purpose behind security policies or controls.

 

Results needed: Technical recommendations and remedial action for individual issues

 

Internal Audit & Risk Management

Internal audit and risk management are primarily concerned with reporting of risks, and so the results of any assessment will need to be quantifiable and fit into any current reporting systems.

 

The team also needs information on where controls that have been implemented are ineffective, to ensure that the most complete view of risk exposure can be presented to the audit and risk committee. 

 

Results needed: Compliance metrics against internal baselines, and details of any failing controls

 

Audit & Risk Committee

The audit and risk committee is responsible for providing assurance that threats are being managed and opportunities are being seized. 

 

The committee will therefore need to know of the threat scenarios that most concern the company, which could be realized. This takes the technical findings and determines whether the issues identified would allow an attacker to achieve a particular objective.

 

Results needed: Real-world impact, supported by threat intelligence and temporal or environmental information

 

Summary

The value you gain from security assessments can be markedly improved with better input (from your team), and better output (from your appointed assessors). We can see from above that the most valuable result will detail:

  • The control failures that led to the vulnerability
  • The business impact that it has on the company (in the context of the company's risk appetite)
  • The possibility of that vulnerability being exploited to achieve a particular objective
  • The action required to resolve the vulnerability
  • The organizational change needed to ensure the vulnerability is not introduced elsewhere

 

With this information, the entire organization can make a reliable and informed decision about how to address security, and ensure that spending is appropriate, proportional and effective. The gold standard for any business.

 

 

Accreditations & Certificates

F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.

Follow us
@fsecure_consult F-Secure-Consulting f-secure-foundry fsecurelabs